
Performing due diligence is key to evaluating vendors


Data security experts say the first step to ensure that a vendor is a worthy business partner is performing due diligence.

Before inking a deal, a company should verify that a vendor has a business continuity plan that specifies its data backup measures. The vendor also should be able to demonstrate how quickly it can resume business after a data breach or other peril interrupts operations, experts said.

Companies also should obtain a security assessment of the vendor, experts said.

"More vendors are doing their own security assessment, and that will suffice" if the vendor arranges for a qualified expert to conduct it, noted David J. Navetta, managing member of InfoSecCompliance L.L.C. of Denver. That way, the vendor does not "have to reinvent the wheel every time they enter a transaction."

Companies should understand, however, that a security assessment firm could use one of several standards to assess a vendor's security because there is no universal standard.

Commonly used security standards, though, are the Statement on Auditing Standards No. 70 issued by the New York-based American Institute of Certified Public Accountants; standard 17799 from the Geneva, Switzerland-based International Organization for Standardization; and the Control Objectives for Information and Related Technology standard, or COBIT, issued by the IT Governance Institute, a Rolling Meadows, Ill.-based research think tank.